Hello
I need to run iptables on a Linux box from a CGI on an Apache web server, but I need to run it as the apache user, not as root, to avoid a security vulnerability on the Apache web server.
Do I need to recompile iptables or the kernel?
Has someone done this before?
Thanks for your comments.
Ing. Israel Zavalza Bahena Technology Strategic Manager of INTERTIENDAS Network Center
From: netfilter-request@xxxxxxxxxxxxxxxxxxx Reply-To: netfilter@xxxxxxxxxxxxxxxxxxx To: netfilter@xxxxxxxxxxxxxxxxxxx Subject: netfilter digest, Vol 1 #872 - 10 msgs Date: Fri, 30 May 2003 22:40:16 +0200
Send netfilter mailing list submissions to netfilter@xxxxxxxxxxxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit https://lists.netfilter.org/mailman/listinfo/netfilter or, via email, send a message with subject or body 'help' to netfilter-request@xxxxxxxxxxxxxxxxxxx
You can reach the person managing the list at netfilter-admin@xxxxxxxxxxxxxxxxxxx
When replying, please edit your Subject line so it is more specific than "Re: Contents of netfilter digest..."
Today's Topics:
1. Need some clarity (Michael Carroll)
2. Skipping connection tracking for certain traffic types? (Ville Mattila)
3. Usage of netfilter (Aditya Bhasin)
4. A problem - connections dies (Peter Pohlmann)
5. vpn between networks with private ip network segment conflicts (dtrott@xxxxxxxxxxxxx)
6. RE: upgrade to iptabels from ipchains (John Friel III)
7. Re: SOLVED : Re: where is libipt_match.so? (David T-G)
8. RE: upgrade to iptables from ipchains (John Friel III)
9. iptables/conntrack in enterprise environment. (Preston A. Elder)
10. Re: [netfilter-core] iptables/conntrack in enterprise environment. (Preston A. Elder)
--__--__--
Message: 1 Date: Tue, 27 May 2003 14:45:54 -0400 From: Michael Carroll <ingenious@xxxxxxxx> To: netfilter@xxxxxxxxxxxxxxxxxxx Subject: Need some clarity
Hello netfilter development crew,
I have a couple of probably straightforward questions that I don't know the answers to, and I would like to just clear things up a little bit.
# Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
*nat
:PREROUTING ACCEPT [7595:344053]
:POSTROUTING ACCEPT [80:4556]
:OUTPUT ACCEPT [63:3755]
COMMIT
That is what is generated when I first do an 'iptables-save > /dir'. Now I was wondering what all the numbers inside those brackets stand for, because when I start to add rules to them those numbers start to change. They also add the user-defined rules just before the COMMIT. Does it matter how you type out your iptables rules, like you should DROP everything first, then start to 'open' ports up, correct? Also, one other thing: what does COMMIT mean?
Thank you in advance.
Michael Carroll
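The save format Michael asks about, walked through by a small parser added here (not part of the original post): each ':CHAIN POLICY [packets:bytes]' line carries the chain's policy counters, '-A' lines are the rules, and COMMIT closes the table so iptables-restore loads it as one unit. The sample text is constructed from the post's nat table plus a filter table.

```python
"""Parse iptables-save output. Added example, not from the original post;
it assumes the 2.4-era layout: '*table', ':CHAIN POLICY [pkts:bytes]',
'-A CHAIN ...' rules and a closing 'COMMIT' per table."""
import re
from dataclasses import dataclass, field

# Constructed sample: the nat table from the post plus a filter table.
SAVE_SAMPLE = """\
# Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
*nat
:PREROUTING ACCEPT [7595:344053]
:POSTROUTING ACCEPT [80:4556]
:OUTPUT ACCEPT [63:3755]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [300:24000]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")


@dataclass
class Chain:
    policy: str      # built-in policy, or "-" for a user-defined chain
    pkts: int        # packets that hit the chain policy
    nbytes: int      # bytes that hit the chain policy
    rules: list = field(default_factory=list)


def parse_iptables_save(text):
    """Return {table: {chain: Chain}}; raise if a table lacks its COMMIT."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # comments such as the header line
        if line.startswith("*"):
            if table is not None:
                raise ValueError(f"table {table} not terminated by COMMIT")
            table = line[1:]
            tables[table] = {}
        elif line == "COMMIT":
            table = None                   # table is complete and loadable
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m or table is None:
                raise ValueError(f"bad chain line: {line}")
            tables[table][m[1]] = Chain(m[2], int(m[3]), int(m[4]))
        elif line.startswith("-A "):
            tables[table][line.split()[1]].rules.append(line)
        else:
            raise ValueError(f"unrecognised line: {line}")
    if table is not None:
        raise ValueError(f"table {table} not terminated by COMMIT")
    return tables


def default_deny_chains(tables):
    """Built-in chains whose policy is DROP: the 'drop first, then open
    ports' check Michael asks about."""
    return sorted(f"{t}:{c}" for t, chains in tables.items()
                  for c, ch in chains.items() if ch.policy == "DROP")
```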
--__--__--
Message: 2 Date: Tue, 27 May 2003 22:49:56 +0300 (EET DST) From: Ville Mattila <vm@xxxxxx> To: netfilter@xxxxxxxxxxxxxxxxxxx cc: Ville Mattila <vm@xxxxxx> Subject: Skipping connection tracking for certain traffic types?
Hello all,
Correct me on this if I'm wrong: It is a feature of Netfilter that whenever conntrack is registered in kernel, then for example any UDP packet passing through the firewall causes the state table to be consulted resulting in either update of an old state entry if found or creation of a new state.
Now if the description above holds we have a slight problem.
At our site, connection tracking would be the nice way to handle the classic case of allowing responses to UDP requests initiating from our internal network. The problem is that in the internal network there are several standalone (a.k.a. non-forwarding) caching nameservers sending about 100 dns queries per second through the firewall in the worst case. For us the default ip_conntrack_proto_udp.c timeout setting of 30 seconds for unreplied UDP requests and 180 seconds for assured streams could mean from 3 000 up to 18 000 state entries for these dns requests alone.
This problem would be solved if it was possible with Netfilter/iptables to skip connection tracking for some rules (servers sending dns queries and replies to them in our case), or better yet, not to track every connection by default but only when requested per rule. Is this kind of selective connection tracking possible already or will it possibly become supported in future conntrack versions?
Best regards, Ville
-- Mr. Ville Mattila, vm@xxxxxx, http://iki.fi/vm/
--__--__--
Message: 3 From: "Aditya Bhasin" <aditya.bhasin@xxxxxxxxxxxx> To: <netfilter@xxxxxxxxxxxxxxxxxxx> Subject: Usage of netfilter Date: Tue, 27 May 2003 15:17:15 -0700
Hi,
Is it possible using netfilter and libipq to extract a packet from the IPv4 stream, buffer it in user space and then put the packet back on the outgoing stream at a later point in time?
All the docs and examples I have looked at seem to read in a packet, do an operation on it and then announce a verdict on the packet.
Are there APIs to insert packets into the queue which have not been read from it? If that was allowed I could copy and reject initially and then insert again at a later point in time.
thanks,
aditya
--__--__--
Message: 4 From: "Peter Pohlmann" <peter@xxxxxxxxxxxxx> To: <netfilter@xxxxxxxxxxxxxxxxxxx> Subject: A problem - connections dies Date: Tue, 27 May 2003 16:37:33 -0400
Hello list,
I have a problem with my masquerading. Can someone supply me a basic configuration? I want to have the private network open for everything.
The current rules are below. Works for pop, http etc. But ftp is not proper and connecting to an outside smtp server is a problem too. I can send very small emails, but with some larger email or attachment it stops after transferring some kbs. What am I missing here? The server is redhat 9, pppoe to the dsl modem.
#!/bin/sh
modprobe ip_conntrack_ftp
modprobe iptable_nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 1 >/proc/sys/net/ipv4/ip_dynaddr
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Thank you in advance, Peter
--__--__--
Message: 5 Date: Wed, 28 May 2003 01:32:20 -0700 From: <dtrott@xxxxxxxxxxxxx> To: drew.einhorn@xxxxxxxxxxxx Cc: netfilter@xxxxxxxxxxxxxxxxxxx Subject: vpn between networks with private ip network segment conflicts
If:
- You don't need to access the whole remote network (just a limited number of servers)
- Those servers don't clash with anything on your local network, or it's not too painful to move one or two hosts so they don't clash.
You may be able to kludge it with some proxy arping.
You will need to have:
- Both routers on non-clashing addresses.
- Both routers proxy ARP for the other one.
- Your local router will have to proxy ARP for all the servers you wish to access.
- You will need to SNAT all outgoing VPN traffic to your local router's IP (to avoid conflicts on the remote LAN).
Reverse local and remote for access in the opposite direction.
Note: I have not tested all this together, the closest I have tried is:
My home network uses:
10.1.100.0/24
My work network uses:
10.1.0.0/16
I proxy arp the subnet on the router at work, but my home router doesn't need to proxy arp or SNAT because the netmask is smaller and there are no conflicts on the work LAN.
This will save you having to mess with the DNS, but to be honest I think the least painful route (in the long run) is just to re-number one of the networks.
This is especially true if you are planning to do anything with MS networking, because MS networking really doesn't like NAT.
David
PS If bi-directional access is not required you may be able to SNAT to a virtual IP (per some of the other posts), this will save the remote router from needing to proxy arp.
Drew Einhorn wrote:
> My LAN uses network segments 192.168.0.0/24, 192.168.1.0/24, etc.
> So does the remote network I need to vpn to (probably using some flavor
> of pptp).
>
> Is there an odd nat variant that will solve this problem.
> Probably need to do some kind of dns transformation on each side.
> Is there any easy solution. Perhaps it would be easier (but not easy)
> to get the network segments renumbered on one end or the other.
>
> --
> Drew Einhorn <drew.einhorn@xxxxxxxxxxxx>
--__--__--
Message: 6
From: John Friel III <john@xxxxxxxxxxxx>
To: "'netfilter@xxxxxxxxxxxxxxx'" <netfilter@xxxxxxxxxxxxxxx>
Cc: =?iso-8859-1?Q?=27Leonardo_Rodrigues_Magalh=E3es=27?= <leolistas@xxxxxxxxxxxxxx>
Subject: RE: upgrade to iptabels from ipchains
Date: Wed, 28 May 2003 13:31:43 -0500
> would become this in iptables
>
> iptables -N soporte
> iptables -A soporte -s 10.0.1.1 -j ACCEPT
> iptables -A soporte -j DROP
> iptables -A FORWARD -s 10.0.0.0/25 -j soporte
> iptables -t nat -A POSTROUTING -s 10.0.1.1 -j MASQUERADE
And it should be noted that with these rules in place, all packets that get forwarded to the soporte chain will get DROPPED, because the forward rule only forwards IPs in the range 10.0.0.0-10.0.0.127 and the accept rule is restricted to -only- IP 10.0.1.1.
The 4th rule should be:
iptables -A FORWARD -s 10.0.0.0/16 -j soporte
Cheers! John Friel III Frieltek Consulting, Inc.
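A walk through the quoted rule set for sample source addresses, added here as an example that is not part of the original reply: under the posted /25 jump rule every packet that enters soporte is dropped and 10.0.1.1 never enters the chain at all, while John's /16 version accepts exactly 10.0.1.1 and drops the rest of 10.0.0.0/16. The evaluator models only the -s match and the ACCEPT, DROP and jump targets those rules use; the FORWARD chain's policy is not shown in the post, so an undecided packet is reported as "POLICY".

```python
"""Evaluate the FORWARD -> soporte rules for sample sources. Added example,
not from the original post; models only -s matches and the ACCEPT / DROP /
jump-to-user-chain targets used in the quoted rules."""
import ipaddress

# A rule is (source network, target); target is ACCEPT, DROP or a user chain.
# Constructed from the quoted rules; FORWARD's policy is not shown in the
# post, so a packet no rule decides is reported as "POLICY".
POSTED = {
    "FORWARD": [("10.0.0.0/25", "soporte")],
    "soporte": [("10.0.1.1/32", "ACCEPT"), ("0.0.0.0/0", "DROP")],
}
FIXED = {
    "FORWARD": [("10.0.0.0/16", "soporte")],   # John's corrected 4th rule
    "soporte": POSTED["soporte"],
}


def walk(chains, chain, src):
    """First matching rule wins; a user chain that decides nothing returns
    to the caller, which carries on with its next rule (as iptables does)."""
    for net, target in chains[chain]:
        if src not in ipaddress.ip_network(net):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        decided = walk(chains, target, src)       # -j <user chain>
        if decided is not None:
            return decided
    return None


def verdict(chains, src):
    """Verdict for a forwarded packet from src, or "POLICY" if nothing matched."""
    return walk(chains, "FORWARD", ipaddress.ip_address(src)) or "POLICY"


def accepted_sources(chains, hosts):
    """Hosts the rule set explicitly ACCEPTs; the intent was exactly 10.0.1.1."""
    return [h for h in hosts if verdict(chains, h) == "ACCEPT"]


if __name__ == "__main__":
    for name, chains in (("posted", POSTED), ("fixed", FIXED)):
        for host in ("10.0.0.5", "10.0.1.1", "10.0.200.7", "192.168.1.1"):
            print(f"{name:6} {host:12} -> {verdict(chains, host)}")
```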
--__--__--
Message: 7 Date: Thu, 29 May 2003 01:08:22 -0400 From: David T-G <davidtg@xxxxxxxxxxxxxxx> To: NetFilter Users' List <netfilter@xxxxxxxxxxxxxxxxxxx> Cc: George Vieira <georgev@xxxxxxxxxxxxxxxxxxxxxx> Subject: Re: SOLVED : Re: where is libipt_match.so?
George --
...and then George Vieira said...
%
% no no no.. you've forgotten also the --state before mentioning the
% states you're checking..
Ahhh...
%
%
% *george searches his scripts*
%
% See.... as below..
% $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Well, this seems to work and not cause any errors, so it's good enough for me :-)
%
% Thanks,
Thank *you*!
:-D
--
David T-G * There is too much animal courage in
(play) davidtg@xxxxxxxxxxxxxxx * society and not sufficient moral courage.
(work) davidtgwork@xxxxxxxxxxxxxxx -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
--__--__--
Message: 8
From: John Friel III <john@xxxxxxxxxxxx>
To: "'netfilter@xxxxxxxxxxxxxxx'" <netfilter@xxxxxxxxxxxxxxx>
Cc: =?iso-8859-1?Q?=27Leonardo_Rodrigues_Magalh=E3es=27?= <leolistas@xxxxxxxxxxxxxx>
Subject: RE: upgrade to iptables from ipchains
Date: Wed, 28 May 2003 13:37:33 -0500
--__--__--
Message: 9 From: "Preston A. Elder" <prez@xxxxxxxxxxxxx> Organization: Shadow Realm To: netfilter@xxxxxxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx Subject: iptables/conntrack in enterprise environment. Date: Thu, 29 May 2003 01:13:47 -0400
Hi,
I am in an enterprise environment and I'm having some problems with conntrack specifically.
We have a system that acts as a router, however any new inbound connection for any machine behind this router is re-directed to a specific port on the local machine, where an application responds as if it were the system behind the router. These systems experience some very high volumes of traffic (sustaining over 30mbit of traffic). Here's a breakdown of TCP socket connections by status at one particular point in time:
ESTABLISHED : 1363
LAST_ACK : 27
TIME_WAIT : 616
FIN_WAIT2 : 8
FIN_WAIT1 : 140
SYN_RECV : 6188
CLOSE_WAIT : 365
LISTEN : 3
CLOSING : 5
We have multiple systems performing this task (essentially for load balancing and to remove a single point of failure). The systems are dual 1ghz pentium 3's, with 1-2gb of ram, so they're not shy systems. They're running 2.4.20 kernels (mostly vanilla) with iptables 1.2.7a.
Here are some system limits I am tweaking (ie. the commands to do the tweaking):
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 524280 >/proc/sys/fs/file-max
echo 524280 >/proc/sys/net/ipv4/ip_conntrack_max
echo 65535 >/proc/sys/net/ipv4/ip_queue_maxlen
echo 65535 >/proc/sys/net/ipv4/tcp_max_syn_backlog
# NONE EST SYN_S SYN_R FIN_W TIME_W CLOSE CLOSE_W LAST_A LISTEN
echo "1800 21600 120 60 30 30 10 30 30 120" > /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts
ulimit -H -n 524280
ulimit -S -n 524280
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Because every new connection to one of the systems 'behind' these systems needs to be re-directed to a local port, which is achieved with the command:
/sbin/iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp -d <ip-range> --destination-port 1024:65535 --to-destination <local_ip>:<local_port>
Every inbound connection incurs an entry in the connection tracking table. It seems, however, that we may be overloading the conntrack system. I can telnet to a different port listening on a secondary (internal) interface (but the same application), that bypasses the above rule, and get an immediate connection, however establishing a connection 'to' a server behind this router can take a number of seconds, and sometimes may never establish. What's more, connecting directly to the port everything else is being re-directed to via the 'public' interface itself can take some time (though not as long as connecting 'to' a system behind this box).
The conntrack table itself very quickly grows - but it does not clean itself up when the connection itself disappears, instead it waits for some pre-determined timeout value, which means even though, as shown above, the number of connections in-progress (one way or another) is about 8000 connections, the conntrack table is absolutely huge (hundreds of thousands of entries), and as time goes on, the larger it gets. To try to combat this, I've reduced the biggest timer (how long an established connection stays in conntrack) from 5 days to 6 hours (all the connections we have are, and should be, short lived, so that is plenty of time). This helps a bit, however I'm still at a loss to try to understand why conntrack does not clean itself up when the connection gets closed.
Of course, seeing how big the conntrack table is, itself, impacts the system dramatically. The 'wc -l /proc/net/ip_conntrack' command takes a long time to run, and brings the 'active' processing to its knees while doing this.
From all appearances, it appears conntrack is hamstringing us. It appears it is not able to properly handle large-traffic systems, especially where essentially every connection going through the system is nat'd.
I'd appreciate ANY help or thoughts on how to remedy this issue, as I have said, this is in use in an enterprise environment (which of course, means I cannot divulge the purpose of the application I mentioned earlier (however all you really need to know is the application does not really know (or care) whether the connection to it is nat'd, and just uses it as a standard socket connection), however I can give details on the system/kernel/netfilter configuration as necessary, just let me know what further information you require).
I thank you in advance, and apologise for mailing all 3 lists, however I figured someone on ONE of these lists would have an idea or a suggestion.
--
PreZ
Systems Administrator
Shadow Realm
PGP FingerPrint: B3 0C F3 32 DE 5A 7D 90 26 F6 FA 38 CC 0A 2D D8
Finger prez@xxxxxxxxxxxxx for full PGP public key.
Shadow Realm, a hobbyist ISP supplying real internet services. http://www.srealm.net.au
--__--__--
Message: 10 From: "Preston A. Elder" <prez@xxxxxxxxxxxxx> Organization: Shadow Realm To: Harald Welte <laforge@xxxxxxxxxxxxx> Subject: Re: [netfilter-core] iptables/conntrack in enterprise environment. Date: Thu, 29 May 2003 08:09:52 -0400 Cc: netfilter@xxxxxxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx
On Thursday 29 May 2003 04:39 am, Harald Welte wrote:
> On Thu, May 29, 2003 at 01:13:47AM -0400, Preston A. Elder wrote:
> > Hi,
> >
> > I am in an enterprise environment and I'm having some problems with
> > conntrack specifically.
> >
> > They're running 2.4.20 kernels (mostly vanilla) with iptables 1.2.7a.
>
> Do not use 2.4.20 if you want to use connection tracking. 2.4.20
> connection tracking is totally broken due to a change introduced in the
> core kernel.
>
> Please do always use patch-o-matic from CVS. The patch you want to
> apply for fixing this bug is 10_confirm_fix.patch
This patch was applied already. In fact, I'm using Gentoo (but using the 'vanilla' kernel from gentoo, so it's not got every patch under the sun), and I specifically picked out and applied the following patches:
018_gcc31-compile-optimizations
021_ecc-20020904
701_iptables-20_iptables-proc
702_iptables-24_conntrack-nosysctl
722_iptables-tcplimit
724_iptables-u32
741_iptables-ip_conntrack_find
742_iptables-ip_ct_refresh_optimization
744_iptables-03_ip_conntrack_proto_tcp-lockfix
747_iptables-06_ftp-conntrack-msg-fix
748_iptables-07_ECN-tcpchecksum-littleendian-fix
752_iptables-10_confirm_fix
753_iptables-10_local-nat-expectfn
759_iptables-24_conntrack-modify-after-free-fix
760_iptables-25_ip_tables-comment-fix
766_iptables-33_ipqueue_memoryleak
764_iptables-31_nat_parse_fix
770_iptables-ip_conntrack-timeouts
900_quick-fixes
902_minor_fixes
Please let me know if you think one is missing I should try.
> Also, considering
>
> > echo 524280 >/proc/sys/net/ipv4/ip_conntrack_max
>
> without using a larger hash size (modprobe ip_conntrack hashsize=foo,
> where foo should be a prime number and in the range of 524280/2)
I'll try this and report back.
> > to be re-directed to a local port, which is achieved with the command:
> > /sbin/iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp -d <ip-range>
> > - --destination-port 1024:65535 --to-destination <local_ip>:<local_port>
> >
> > Every inbound connection incurs an entry in the connection tracking
> > table. It seems, however, that we may be overloading the conntrack
> > system.
>
> I've seen systems with way more conntrack entries and higher bandwith.
> Using NAT however, might have a big performance impact.
Well, this system itself isn't doing 'nat', however, by implication, the above rule makes every connection nat'd.
> > The conntrack table itself very quickly grows - but it does not clean
> > itself up when the connection itself dissapears, instead it waits for
> > some pre-determined timeout value,
>
> With a non-broken kernel it is 2 minutes, that is TIME_WAIT of a TCP
> socket.
That was not my point. My point was, for up to 5 days later, the system still has entries in the conntrack table (listed as 'ESTABLISHED'), which have been dead and gone for a long time; conntrack does not realise that connection is utterly closed, and it should drop its conntrack entry. I'm not as worried about the lower-value timeouts, but as I said, I saw a lot of established connections hanging around in the conntrack table (making the conntrack table about 200,000 entries long, give or take), most of which were entries for connections already closed.
--
PreZ
Systems Administrator
Shadow Realm
PGP FingerPrint: B3 0C F3 32 DE 5A 7D 90 26 F6 FA 38 CC 0A 2D D8
Finger prez@xxxxxxxxxxxxx for full PGP public key.
Shadow Realm, a hobbyist ISP supplying real internet services. http://www.srealm.net.au
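A way to look at the table more usefully than 'wc -l /proc/net/ip_conntrack' (message 9), and the hashsize arithmetic from Harald's reply above (message 10), added here as an example that is not from either post. The sample entries are constructed, and the layout assumed is the 2.4 ip_conntrack one: protocol, protocol number, seconds left before the entry expires, the TCP state (TCP only), both tuples, and flags such as [UNREPLIED] and [ASSURED].

```python
"""Summarise /proc/net/ip_conntrack and compute a conntrack hashsize.
Added example, not from the posts; sample lines are constructed and
assume the 2.4 ip_conntrack layout described in the lead-in."""
from collections import Counter

CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=203.0.113.9 sport=40001 dport=80 src=203.0.113.9 dst=10.0.0.7 sport=80 dport=40001 [ASSURED] use=1
tcp      6 19800 ESTABLISHED src=10.0.0.8 dst=203.0.113.9 sport=40002 dport=80 src=203.0.113.9 dst=10.0.0.8 sport=80 dport=40002 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.9 dst=203.0.113.9 sport=40003 dport=80 src=203.0.113.9 dst=10.0.0.9 sport=80 dport=40003 [ASSURED] use=1
tcp      6 58 SYN_RECV src=198.51.100.4 dst=10.0.0.1 sport=51000 dport=25 src=10.0.0.1 dst=198.51.100.4 sport=25 dport=51000 use=1
udp      17 29 src=10.0.0.5 dst=203.0.113.53 sport=33000 dport=53 [UNREPLIED] src=203.0.113.53 dst=10.0.0.5 sport=53 dport=33000 use=1
"""


def parse_conntrack(text):
    """Yield one dict per entry: proto, seconds left, TCP state, flag set."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4:
            continue
        yield {
            "proto": f[0],
            "left": int(f[2]),
            "state": f[3] if f[0] == "tcp" else "",
            "flags": {tok.strip("[]") for tok in f if tok.startswith("[")},
        }


def summarise(text, established_timeout=6 * 3600):
    """Counts per (proto, state); ESTABLISHED entries whose remaining
    lifetime exceeds the configured timeout (they were last refreshed
    before the timeout was lowered, i.e. the long-lived leftovers the
    poster describes); and entries that never saw a reply."""
    by_state, over_limit, unreplied = Counter(), 0, 0
    for e in parse_conntrack(text):
        by_state[(e["proto"], e["state"])] += 1
        if e["state"] == "ESTABLISHED" and e["left"] > established_timeout:
            over_limit += 1
        if "UNREPLIED" in e["flags"]:
            unreplied += 1
    return {"by_state": dict(by_state), "over_limit": over_limit,
            "unreplied": unreplied}


def is_prime(n):
    """Trial division; fast enough for values of a few hundred thousand."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def conntrack_hashsize(conntrack_max):
    """Largest prime at or below conntrack_max/2: the value to pass as
    'modprobe ip_conntrack hashsize=<N>' when raising ip_conntrack_max."""
    n = conntrack_max // 2
    while not is_prime(n):
        n -= 1
    return n


if __name__ == "__main__":
    print(summarise(CONNTRACK_SAMPLE))
    print("hashsize for ip_conntrack_max=524280:", conntrack_hashsize(524280))
```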
--__--__--
End of netfilter Digest